'''Blackberry Forensics''' is a page dedicated to the forensics world. This page should contain all the necessary steps to acquire data from a BlackBerry device.

'''Carving''' is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.

== Warning for BlackBerry Forensics ==

[[BlackBerry]] devices come with password protection. The owner can protect all data on the phone with a password, and may also specify the number of attempts allowed for entering the password before all data is wiped from the device.

[[Image:Image1.jpg|none|thumb]]

=File Carving=

If you exceed your password attempts limit (defaults to 10, but you can set it as low as 3), you will be prompted one last time to type the word BlackBerry.

Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. [[Semantic Carving]] performs carving based on an analysis of the contents of the proposed files.

[[Image:Image2.jpg|none|thumb]]

File carving should be done on a [[disk image]], rather than on the original disk.

The device will then wipe. It will be reset to the factory out-of-the-box condition (default folder structure), and the password reset. You will lose everything in the device memory, with no possibility of recovery. It will not reformat the microSD card, since that's not part of the factory configuration. The phone will still be usable, and the operating system will be unchanged. So this technique cannot be used to roll back from an OS upgrade problem.

File carving tools are listed on the [[Tools:Data_Recovery]] wiki page.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and hopefully get them to disclose the password.

Many carving programs have an option to only look at or near sector boundaries where headers are found. However, searching the entire input can find files that have been embedded into other files, such as [[JPEG]]s being embedded into [[Microsoft]] [[DOC|Word documents]]. This may be considered an advantage or a disadvantage, depending on the circumstances.

Today most file carving programs will only recover files that are contiguous on the media.

== Acquiring BlackBerry Backup File (.ipd) ==

== File Carving Taxonomy ==

* Version 4.6 was used in this example

[[Simson Garfinkel]] and [[Joachim Metz]] have proposed the following file carving taxonomy:

Prerequisites:
;Header/Maximum (file) size Carving

Download and install BlackBerry Desktop Manager.
:A method for carving files out of raw data using a distinct header (start of file marker) and a maximum (file) size. This approach works because many file formats (e.g. JPEG, MP3) do not care if additional junk is appended to the end of a valid file.
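The following toy carver is an added example in Python; it is not code from the original page nor from any of the carving tools the page links to. It implements the two methods described above: header/footer carving with an optional sector-boundary restriction (the option that makes a carver faster but blind to files embedded inside other files), and the header/maximum-size method from the taxonomy. The disk image, the JPEG-like blobs and the "document" that embeds one are constructed inline; the only real values are the JPEG start-of-image (FF D8 FF) and end-of-image (FF D9) markers. Like most carvers, it assumes every object is stored contiguously.

```python
"""Toy file carver (added example, not code from the original page or from any
carving tool it links to). Implements header/footer carving with an optional
sector-boundary restriction, and header/maximum-size carving. The image it
runs over is constructed inline; only the JPEG SOI/EOI markers are real."""
from dataclasses import dataclass
from typing import List

SECTOR = 512

# Real JPEG markers: SOI followed by a marker byte, and EOI.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


@dataclass
class Carved:
    offset: int   # byte offset of the header in the image
    data: bytes   # the carved bytes
    method: str   # which carving method produced this object


def carve_header_footer(image: bytes, header: bytes, footer: bytes,
                        sector_aligned: bool = False) -> List[Carved]:
    """Carve every object that starts with `header` and ends with the next
    `footer`. With sector_aligned=True only headers that begin on a sector
    boundary are accepted: faster, but it misses files embedded inside other
    files. Assumes each object is stored contiguously."""
    results = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            break
        if sector_aligned and start % SECTOR != 0:
            pos = start + 1          # skip an unaligned header
            continue
        end = image.find(footer, start + len(header))
        if end < 0:
            break                    # header without a footer: not recoverable this way
        end += len(footer)
        results.append(Carved(start, image[start:end], "header/footer"))
        pos = end
    return results


def carve_header_maxsize(image: bytes, header: bytes, max_size: int) -> List[Carved]:
    """Carve `max_size` bytes after every header (fewer at the end of the image).
    Trailing junk is tolerated by formats such as JPEG and MP3, and a truncated
    object that has no footer is still recovered."""
    results = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            break
        end = min(start + max_size, len(image))
        results.append(Carved(start, image[start:end], "header/maxsize"))
        pos = start + len(header)
    return results


def build_sample_image() -> bytes:
    """Constructed image: a JPEG-like blob at sector 0, an empty sector, a
    'document' in sector 2 that embeds a second blob mid-sector, and a final
    blob whose footer is missing (simulating truncation)."""
    def jpeg(payload: bytes) -> bytes:
        return JPEG_HEADER + payload + JPEG_FOOTER

    def pad_to_sector(chunk: bytes) -> bytes:
        sectors = (len(chunk) + SECTOR - 1) // SECTOR
        return chunk.ljust(sectors * SECTOR, b"\x00")

    sector0 = pad_to_sector(jpeg(b"photo-one"))
    sector1 = b"\x00" * SECTOR
    document = pad_to_sector(b"DOC-HEADER " + b"text " * 10
                             + jpeg(b"embedded-photo") + b" more text")
    truncated = JPEG_HEADER + b"no-footer-here"
    return sector0 + sector1 + document + truncated


if __name__ == "__main__":
    img = build_sample_image()
    for label, found in [
        ("header/footer, full scan", carve_header_footer(img, JPEG_HEADER, JPEG_FOOTER)),
        ("header/footer, sector-aligned", carve_header_footer(img, JPEG_HEADER, JPEG_FOOTER, True)),
        ("header/max size 32", carve_header_maxsize(img, JPEG_HEADER, 32)),
    ]:
        print(label)
        for c in found:
            print(f"  offset {c.offset:5d}  {len(c.data):3d} bytes  {c.data[:24]!r}")
```

Running the block shows the trade-off from the text directly: the full scan finds the blob embedded in the document at an unaligned offset, the sector-aligned scan does not, and neither header/footer pass recovers the footerless blob at the end of the image, whereas header/maximum-size carving returns it (plus some zero padding after the first blob, which a JPEG decoder would ignore).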

Use the following link to select and download the install file that fits your system or version.

The IPD file can be read using several commercial utilities, including the [[MagicBerry IPD Reader]] and the [[Amber Blackberry Converter]]. The example below was created using version 6.7 of the latter.

1. Use File | Open and point the program to the BlackBerry backup file (.ipd).

[[Image:ABCOpen.JPG|none|thumb]]

2. Navigate to the appropriate content by using the navigation icons on the left and/or top.

[[Image:ABCView.JPG|none|thumb]]

=== Advanced Export Options ===

You may also export each subsection of acquired data to other file types, such as PDF, TXT, or HTML.

1. Select the appropriate content from the navigation items on the left.

2. Either select an individual row or click "Select All" to export all rows.

[[Image:ABCExportSelectAll.JPG|none|thumb]]

3. Click the "Fields to export" button.

[[Image:ABCExportButton.JPG|none|thumb]]

4. Select the fields of that subsection that you wish to export and click "OK".

* You may purchase a copy of Device Seizure on Paraben's Website [http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=405 here].

As an alternative to acquiring the BlackBerry through Amber Blackberry Converter, Paraben's Device Seizure is a simple and effective method to acquire the data. The only drawback is that this method takes significantly more time than using Amber Blackberry Converter.

1. Create a new case in Device Seizure with File | New.

2. Give the case a name and fill in any desired information about the case on the next two screens. The third screen is a summary of the data entered. If all data is correct click Next and then Finish.

3. You are now ready to acquire the phone. Go to Tools | Data Acquisition.

4. You are prompted for the supported manufacturer. Select RIM Blackberry (Physical).

[[Image:Image10.JPG|none|thumb]]

5. Leave supported models at the default selection of autodetect.

[[Image:Image11.JPG|none|thumb]]

6. Connection type should be set to USB.

[[Image:Image12.JPG|none|thumb]]

7. For the data type, select Logical Image (Databases).

[[Image:Image13.jpg|none|thumb]]

8. Confirm your selections on the summary page and click Next to start the acquisition.

Now wait until the program is done acquiring data from the device.

Please Note: In some instances the wait can be up to 30-45 minutes.

== BlackBerry Simulator ==

* For simulating a backup copy of the physical device. This is helpful if the device is low on battery, needs to be turned off, or you don't want to alter the data on the physical device.

This is a step-by-step guide to downloading and using a BlackBerry simulator. In this example, version 4.0.2 was used to simulate the 7230 series.

1. Select a simulator to download from the drop-down list on the [https://www.blackberry.com/Downloads/entry.do?code=060AD92489947D410D897474079C1477 BlackBerry website].

* For this example, look through the list and download BlackBerry Handheld Simulator v4.0.2.51.

2. Then click ''Next''.

3. Enter your proper user credentials and click ''Next'' to continue.

4. On the next page, reply accordingly to the eligibility prompt and click ''Next'' to continue.*

5. Agree or disagree to the SDK agreement and click ''Submit'' to continue.*

6. The next page will provide you with a link to download the .ZIP file containing the wanted simulator.

* - If you disagree at any of these points you will not be able to continue to the download.

7. Extract the files to a folder that can easily be accessed (I used the desktop).

8. In that folder, find the xxxx.bat file (where xxxx is the model number of the device that is being simulated). The simulator should now open an image that resembles the phone.

10. Open BlackBerry Desktop Manager. If there are no Outlook profiles created there will be a prompt on how to create one. Click ''OK'' to continue. If the BlackBerry xxxx Simulator has properly connected to the BlackBerry Desktop Manager, ''Connected'' should be displayed at the bottom of the BlackBerry Desktop Manager window. Refer to ''Figure BS-2'' for further assistance.

12. Navigate to the directory where a previously backed-up .ipd file is stored and select Open to load that file into the Simulator. See the Acquiring BlackBerry Backup File section above for information on how to back up a physical BlackBerry.

== Blackberry Protocol ==

Here is a useful link to the BlackBerry protocol as documented by Phil Schwan, Mike Shaver, and Ian Goldberg: http://www.off.net/cassis/protocol-description.html

The article gives a detailed description of packet sniffing and of the protocol as it relates to data transfer across a USB port.

Revision as of 19:04, 1 March 2007
